WCF 客户端无法与在不同机器上运行的服务协商安全访问 [英] WCF Client not able to negotiate security access with Service running in a different machine
问题描述
我正在尝试托管具有绑定wsDualHttpBinding"的 WCF 服务.当我从同一台机器上运行我的客户端和服务(托管在 IIS 中)时,它工作正常.但是,当我在另一台机器上托管服务时,我的客户端无法注册该服务.出现以下错误...
I'm trying to host a WCF Service with binding "wsDualHttpBinding". When I run my client and service(hosted in IIS) from the same machine it works fine. But, when I host the service in a different machine my client fails to register with the service. The following errors are coming...
[System.ServiceModel.Security.SecurityNegotiationEception]调用者未经身份验证服务.和内部例外:无法请求安全令牌满意,因为认证失败.
[System.ServiceModel.Security.SecurityNegotiationEception] The caller was not authenticated by the service. And inner exception: The request for security token could not be satisfied because authentication failed.
尝试从另一个工作组中的不同机器运行时,出现以下错误
When trying to run from a different machine in another workgroup the following error appears
"客户端无法完成内部安全谈判配置时间(00:00:00)"
"Client is unable to finish the security negotiation within the configured time(00:00:00)"
在 IIS6.0 中,我关闭了集成身份验证并允许匿名访问.
In the IIS6.0 I turned off the Integrated Authentication and allowed anonymous access.
我的服务的 Web.Config 如下:
My Service's Web.Config follows:
<system.serviceModel>
<diagnostics>
<messageLogging logMalformedMessages="true" logMessagesAtServiceLevel="true" logMessagesAtTransportLevel="true"/>
</diagnostics>
<bindings>
<wsDualHttpBinding>
<binding name="StatTickerHttpBinding" bypassProxyOnLocal="false" useDefaultWebProxy="true" receiveTimeout="23:59:59">
<reliableSession ordered="true" inactivityTimeout="00:30:00"/>
</binding>
</wsDualHttpBinding>
</bindings>
<services>
<service name="StatTickerService" behaviorConfiguration="ServiceBehavior">
<!-- Service Endpoints -->
<endpoint address="" binding="wsDualHttpBinding" bindingConfiguration="StatTickerHttpBinding" contract="IBroadCastService">
<!--
Upon deployment, the following identity element should be removed or replaced to reflect the
identity under which the deployed service runs. If removed, WCF will infer an appropriate identity
automatically.
<identity>
<dns value="localhost"/>
</identity> -->
</endpoint>
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="ServiceBehavior">
<!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
<serviceMetadata httpGetEnabled="true"/>
<!-- To receive exception details in faults for debugging purposes, set the value below to true. Set to false before deployment to avoid disclosing exception information -->
<serviceDebug includeExceptionDetailInFaults="false"/>
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
<小时>
我的客户端 App.Config 遵循...
My Client App.Config follows...
<system.serviceModel>
<bindings>
<wsDualHttpBinding>
<binding name="WSDualHttpBinding_StatTickerBroadcastService"
closeTimeout="00:01:00" openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard"
maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384"/>
<reliableSession ordered="true" inactivityTimeout="00:30:00"/>
<security mode="Message">
<message clientCredentialType="Windows" negotiateServiceCredential="true" algorithmSuite="Default"/>
</security>
</binding>
</wsDualHttpBinding>
</bindings>
<client>
<endpoint address="http://192.168.100.77/TPS.StatTicker.WCFservice/Service.svc" binding="wsDualHttpBinding"
bindingConfiguration="WSDualHttpBinding_StatTickerBroadcastService"
contract="BroadcastGateway.StatTickerBroadcastService"
name="WSDualHttpBinding_StatTickerBroadcastService">
<identity>
<servicePrincipalName value="host/192.168.100.77"/>
</identity>
</endpoint>
</client>
</system.serviceModel>
<小时>
客户端配置是通过使用 svcutil 完成的.
The Client side config is done by using svcutil.
过去 4 天,我搜索并尝试了 google 中给出的所有解决方案,但没有成功.请紧急帮助.
I searched and tried all the solutions given in the google for the past 4 days but no luck. Please help urgently.
推荐答案
如果我理解您的问题,那么听起来您在委派方面遇到了问题.
If I understand your issue, it sounds like you're having problems with delegation.
这就是我认为您正在尝试做的事情:
Here's what I think you're trying to do:
- 用户连接到网络服务
- 用户使用 Windows 身份验证 (kerberos) 进行身份验证
- 网络服务器冒充用户
- Web 服务器通过 WCF 连接到后端
- Web 服务器使用用户的凭据 (kerberos) 向后端进行身份验证
- 后端接受凭据并提供数据
需要发生的是您的后端必须信任您的网络服务器代表您行事,这称为委托.这是由域控制的,而不是自由给出的.
What needs to happen is your backend has to trust your web server to act on your behalf, called delegation. This is controlled by the domain and not freely given.
如果两台机器在同一个域中,域控制器必须将 Web 服务器配置为能够为用户委派.没有这个,网络上的任何机器都不会信任您代表用户运行的 Web 服务器.如果这一切都发生在同一台机器上,它会执行自己的委托.
If both machines are on the same domain, the domain controller has to configure the web server as able to delegate for users. Without this, no machines on the network will trust your web server acting on a user's behalf. If this all takes place on the same machine, it does its own delegation.
如果两台机器都在一个工作组中,我不知道你会怎么做.
If both machines are in a workgroup, I don't know what you would do.
这篇关于WCF 客户端无法与在不同机器上运行的服务协商安全访问的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
